
Chapter: Information Security : Physical Design

Security and Personnel


Introduction

When implementing information security, there are many human resource issues that must be addressed:

- Positioning and naming the security function
- Staffing it
- Evaluating the impact of information security on every role in the IT function
- Integrating solid information security concepts into personnel practices

Employees often feel threatened when an organization is creating or enhancing its overall information security program.

 

Positioning and Staffing the Security Function

The security function can be placed within:

- The IT function
- The physical security function
- The administrative services function
- The insurance and risk management function
- The legal department

Wherever it is placed, organizations must balance the needs of enforcement with the needs for education, training, awareness, and customer service.

Staffing the Information Security Function

- Selecting personnel is based on many criteria, including supply and demand.
- Many professionals enter the security market by gaining skills, experience, and credentials.
- At present, the information security industry is in a period of high demand.

 

Qualifications and Requirements

The following factors must be addressed:

- Management should learn more about position requirements and qualifications.
- Upper management should learn about the budgetary needs of the information security function.
- IT and general management must learn more about the level of influence and prestige the information security function should be given to be effective.

Organizations typically look for a technically qualified information security generalist. Specifically, they look for information security professionals who understand:

- How an organization operates at all levels
- That information security is usually a management problem, not a technical problem
- The role of policy in guiding security efforts
- Most mainstream IT technologies
- The terminology of IT and information security
- The threats facing an organization and how they can become attacks
- How to protect the organization's assets from information security attacks
- How business solutions can be applied to solve specific information security problems

Strong communication and writing skills are also expected.

 

Entry into the Information Security Profession

Many information security professionals enter the field through one of two career paths:

- Law enforcement and the military
- Technical work on security applications and processes

Today, students also select and tailor degree programs to prepare for work in information security. Organizations can foster greater professionalism by matching candidates to clearly defined expectations and position descriptions.

 

Information Security Positions

Use of standard job descriptions can increase the degree of professionalism and improve the consistency of roles and responsibilities between organizations. Charles Cresson Wood's book Information Security Roles and Responsibilities Made Easy offers a set of model job descriptions.

Chief Information Security Officer (CISO or CSO)

- Top information security position; frequently reports to the Chief Information Officer
- Manages the overall information security program
- Drafts or approves information security policies
- Works with the CIO on strategic plans
- Develops information security budgets
- Sets priorities for information security projects and technology
- Makes recruiting, hiring, and firing decisions or recommendations
- Acts as spokesperson for the information security team
- Typical qualifications: accreditation; graduate degree; experience

Security Manager

- Accountable for the day-to-day operation of the information security program
- Accomplishes objectives as identified by the CISO
- Typical qualifications: accreditation is not uncommon; ability to draft middle- and lower-level policies, standards, and guidelines; budgeting, project management, and hiring and firing; managing technicians

 

Employment Policies and Practices

- The management community of interest should integrate solid information security concepts into the organization's employment policies and practices.
- The organization should make information security a documented part of every employee's job description.
- From an information security perspective, hiring employees is a responsibility laden with potential security pitfalls.
- The CISO and information security manager should provide human resources with information security input to personnel hiring guidelines.

 

Termination

When an employee leaves the organization, there are a number of security-related issues. The key is protection of all information to which the employee had access. Once cleared, the former employee should be escorted from the premises. Many organizations use an exit interview to remind the former employee of contractual obligations and to obtain feedback.

Hostile departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting. In a hostile departure:

- Before the employee is aware, all logical and keycard access is terminated
- The employee collects all belongings and surrenders all keys, keycards, and other company property
- The employee is then escorted out of the building

Friendly departures include resignation, retirement, promotion, or relocation. In a friendly departure:

- The employee may be notified well in advance of the departure date
- It is more difficult for security to maintain positive control over the employee's access and information usage
- Employee access usually continues with a new expiration date
- Employees come and go at will, collect their own belongings, and leave on their own

Offices and information used by the employee must be inventoried; files stored or destroyed; and property returned to organizational stores. It is possible that employees foresee their departure well in advance and begin collecting organizational information for their future employment. Only by scrutinizing system logs after the employee has departed can the organization determine whether there has been a breach of policy or a loss of information. If information has been copied or stolen, the action should be declared an incident and the appropriate incident response policy followed.
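The log scrutiny the notes call for, as an added example (not code from the notes or the textbook they summarize): a small Python review that takes a departure roster and an access log and flags two things, any logical or keycard event by a departed user at or after the departure time (access that should have been revoked, which the hostile-departure procedure requires to happen before the employee is aware), and bulk file reads or copies in the days before departure (the pattern of an employee collecting information for a future employer). The log line format, user names, file paths, departure times and the lookback/threshold values are all constructed assumptions for the example.

```python
"""Post-departure log review for departed employees.

Added example, not from the lecture notes. The log format below is an
assumption: one event per line, "<ISO timestamp> <user> <action> <detail>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed departure roster (assumed): user -> (effective departure
# time, departure type as the notes classify it).
DEPARTURES = {
    "jsmith": (datetime(2024, 3, 15, 17, 0), "friendly"),
    "rjones": (datetime(2024, 3, 10, 9, 0), "hostile"),
}

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = """\
2024-03-01T10:12:00 jsmith login vpn
2024-03-12T22:40:00 jsmith file_read /share/finance/forecast.xlsx
2024-03-12T22:41:00 jsmith file_read /share/finance/budget.xlsx
2024-03-12T22:42:00 jsmith file_read /share/finance/clients.csv
2024-03-12T22:43:00 jsmith file_copy /share/finance/clients.csv /media/usb/clients.csv
2024-03-16T08:05:00 jsmith login vpn
2024-03-10T09:30:00 rjones login workstation
2024-03-10T09:31:00 rjones badge door-east
2024-03-02T11:00:00 akhan file_read /share/hr/policy.pdf
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, action, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, detail))
    return events


def review_departures(events, departures, lookback_days=14, bulk_threshold=3):
    """Return a list of findings for users on the departure roster.

    - "access_after_departure": any logical or keycard event at or after the
      departure time, i.e. access was not revoked when it should have been.
    - "bulk_file_activity_before_departure": at least bulk_threshold file
      reads/copies in the lookback window before departure.
    """
    findings = []
    file_events = defaultdict(list)
    for ts, user, action, detail in sorted(events):
        if user not in departures:
            continue
        departed_at, kind = departures[user]
        if ts >= departed_at:
            findings.append({"type": "access_after_departure", "user": user,
                             "departure": kind, "when": ts.isoformat(),
                             "action": action, "detail": detail})
        elif (action in ("file_read", "file_copy")
              and ts >= departed_at - timedelta(days=lookback_days)):
            file_events[user].append((ts, action, detail))
    for user, evs in file_events.items():
        if len(evs) >= bulk_threshold:
            findings.append({"type": "bulk_file_activity_before_departure",
                             "user": user, "departure": departures[user][1],
                             "count": len(evs),
                             # copies are the strongest exfiltration signal
                             "copies": [d for _, a, d in evs if a == "file_copy"]})
    return findings


def review_sample():
    """Run the review over the constructed sample log and roster."""
    return review_departures(parse_log(SAMPLE_LOG), DEPARTURES)


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

On the sample data the review reports the hostile-departure user still logging in and badging half an hour after the termination time (a revocation failure), the friendly-departure user logging in the day after the departure date, and that user's four finance file reads and one copy to removable media three days before leaving. Any finding of the first kind is a control failure to fix in the offboarding procedure; findings of the second kind are what the notes say should be declared an incident and handled under the incident response policy.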



Copyright © 2018-2024 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.